The SAP Indirect Access landscape has changed. Over the past two years, we have seen high profile court cases, the emergence of big disputes through the media, and landmark announcements from SAP on pricing models.

With the Diageo and AB InBev cases allegedly exceeding a combined $675 million, it is plausible that, since the Diageo case emerged in February 2017, claims could have topped the $1 billion mark.

In this article, we give our view on all the current market factors with a view to bringing together a balanced view of where SAP customers stand. This is our ultimate guide to SAP indirect access licensing today.

Why listen to JNC? Some of the biggest global SAP users, law firms, and consultancies that we have worked with willingly and consistently testify that JNC are the leading experts in SAP licensing and, more specifically, SAP Indirect Access.

Indirect Access as it is today

Indirect Access is a bit of an overused phrase. In reality, you have licensed the use of third-party applications interfaced to SAP, and you have unlicensed usage. There is no magic license type for indirect usage; in fact, the SAP price list contains package and named-user license types adequate for the purpose. The challenge is knowing what licensing is and isn’t applicable in each case.

The question normally asked of us is: “do we have any indirect access?” The concern is that if the answer is yes, it’s going to cost you big, which isn’t necessarily the case. It’s highly likely that most medium to large scale enterprises will have third-party systems interfaced to SAP. The question should be “do we have the adequate licensing entitlement for the third-party systems we have interfaced to SAP ERP, and how they are being used?” Guess what, you may already have adequate entitlements or maybe just require more of an existing entitlement.

Practical Example

(Hypothetical) “Web-Order-Central” enters 250,000 externally created sales orders into SAP in addition to the 250,000 entered directly by named-users. The client has the S&SOP package license (applicable if already on your exhibit) and has an entitlement of 300,000 orders. To many, this is a concern due to the shortfall of 200,000, whereas in fact it could be adequately licensed usage. Where named-users have the right to enter orders into SAP, a unit of S&SOP is typically only required for externally created orders. So the 250,000 orders created by “Web-Order-Central” are covered by the 300,000 entitlement. This issue can be exacerbated by the fact that standard SAP audit tools typically don’t distinguish internally and externally created orders, measuring 500k orders versus an entitlement of 300k, making it look like a risk when the customer’s contracts and entitlements prove that not to be the case. As this is the Order-Cash-Process, apparently SAP’s new policy is not to charge named-users in this case; only the order processing package licensing is required.

Resolving Claims

JNC resolve most proactive indirect access reviews by establishing either a term of use in the contract that supports the usage in question, or a package license or surplus of named-user licenses adequate to cover the as-yet unaccounted-for indirect usage. In some cases, a customer has the right licenses, just not the right quantity, and the issue can be resolved without any fuss simply by buying extra licenses in a smart way, for example as part of another purchase for another purpose. There is no need for concern unless unlicensed usage exposure is identified and to what extent. So the bottom line is don’t accept a proposal for indirect usage licensing unless you have read your contracts and checked existing entitlements.

We have successfully defended numerous indirect access licensing claims by identifying that terms of use exist in the contract that cater for the usage in question, and that somehow had previously remained undiscovered by SAP and the customer. It isn’t always that simple, and sometimes we are required to re-frame SAP’s interpretation of the usage in question by clarifying technically and functionally what’s actually going on and why that doesn’t qualify as unlicensed usage under the terms of the contract. Remember, your contract is King.

So indirect access is a contractual issue first, and an entitlement issue second. If it’s still an issue after that and technical changes aren’t feasible then license fees might then be owed to license the usage compliantly in accordance with your contract. Furthermore, if you honour the trust model (disclosure versus discovery) you can avail of the licensing you require whilst retaining discount privileges. Whereas discovery of unlicensed usage by SAP typically results in list prices taking precedence, which could cost significantly more.

Why does Indirect Access even exist?

I have read a lot of SAP bashing around Indirect Access but I have two important points to make that are fundamentally important. The terms and conditions SAP typically rely on to pursue additional licensing fees for the use of third-party systems interfaced to SAP were introduced into contracts to combat license fee evasion. This is where a firm avoids paying licensing fees to SAP by putting a third-party application between a group of users and SAP. The same transactions occur in SAP via an interface, only the users don’t have direct access or an SAP login and so “don’t require a license”. SAP is entitled to protect themselves against such practices. Secondly, SAP is entitled to pursue customers for unlicensed use of their software. There is nothing fundamentally wrong with this so long as it is done fairly and proportionately. The issue, in our opinion, is this has not always been the case.

It appears, apparently, in my opinion, (disclaimer!) that Indirect Access may have been used as an under-hand revenue-generating opportunity and as a beating stick to influence customers to buy into their SAP HANA and Cloud strategies. What do I mean? Well, it is feasible, potentially, (disclaimer!) that SAP could excuse discovered “non-compliant” use of third-party systems in exchange for investment in SAP HANA and Cloud product licensing in order to achieve broader customer alignment to these strategies. We have seen plenty of customers with unused HANA and Cloud license assets that appeared to be tied to a licensing dispute settlement, sometimes as a result of an indirect access audit.

Haven’t SAP become more “Empathetic”?

If you are familiar with the announcement made by Bill McDermott at SAPPHIRE 2017, you will be aware they changed their rhetoric to being more empathetic whilst also balancing the need to protect IP. They also announced that named-user licensing would not be applicable in order-to-cash and procure-to-pay scenarios. There were also some strange caveats in that announcement like “so long as the customer is otherwise correctly licensed” (Hala Zain’s blog). So what if they aren’t? Back to a free for all? I have also been privy to a document, allegedly leaked from SAP, upon which this announcement was based. The document uses wording such as “commercialisation” and “strategic pricing”. My view of the announcement and the new “modernised pricing” is that now they have done so, and satisfied the community’s calls for transparent pricing, they will expect all customers to come forward and disclose their potentially unlicensed indirect usage and pay up if indeed additional license fees are required.

Indirect Access is an issue primarily where justifiable claims are not proportionate to the business benefit achieved. Where SAP has gone wrong is that in many cases this has not been the case. Namely Diageo, where the claim totalled £54.5m versus a total enterprise-wide investment of in excess of £60m over a 10-year period. Proportionate? Secondly, indirect access is an issue where claims are made beyond the purpose for which the relevant terms and conditions were designed, which results in anti-competition.

Isn’t it OK now that named-user licensing isn’t applicable?

Not if they build the lost named-user licensing costs into the new package license pricing! Remember only a limited number of business processes have been covered so ask yourself, what of all the other scenarios in which third-party applications can be interfaced to SAP? Furthermore, as I currently understand it, the licensing metric now applicable for O2C indirect usage is Sales and Service Order Execution, i.e. not Sales and Service Order Processing, and guess what, the S&SOE license is more expensive!

Rather than IP protection, Indirect Access has become anti-competitive and a commercialisation of digital transformation and innovation. Where companies are legitimately seeking to integrate best-of-breed leading-edge technologies because they are more fit-for-purpose than SAP’s own alternative, SAP is in essence double-charging customers. Where licensing fees for these software products are paid, SAP is expecting additional licensing fees due to them as well.

In our opinion, where a tender process is followed with the objective selection of a suitable software vendor, and SAP lose out, they should, in view of fair competition, accept that and move on. The customer pays the chosen vendor the licensing fees due for use of that software and they should be allowed to interface this system to SAP. End of story.

Sadly, it appears, the threat of Indirect Access is still being used to scare customers away from choosing other vendors. Take Salesforce vs SAP C4C CRM, or Workday vs SAP SuccessFactors, or IBM WebSphere vs SAP Hybris. Mentioning no names, I have been informed by a number of software vendors offering competing products to SAP, that SAP sales people are actively using the Indirect Access threat to scare customers away from competing products. How do the vendors know this? Because their customers are constantly voicing their concerns. Personally, I can’t validate this to be true but generally, there is no smoke without fire.

Top Tips:

Do you need a software tool to deal with Indirect Access? No! But they can be useful for interface discovery. Most of our clients themselves opt for a no-tool approach even though we present the options available.

Don’t make rash architectural changes before (1) checking your SAP contracts to be sure it qualifies, and (2) if it qualifies, checking entitlements to determine if you have adequate coverage.

Don’t be lured into a false sense of security. We may be witnessing the risk of the mass commercialisation of indirect access so there is, in fact, no better time to take action and understand where you stand.

If you have the S&SOP package license already, don’t be fooled into being lured onto the more expensive S&SOE license! Although if you have S&SOP to cover existing processes be sure to examine the use rights when considering what entitlement you need for any new processes.

In my opinion, terms and conditions and license models have been interpreted in a way that allows for large value under-licensing claims to be presented, and then aggressively pursued in order to force quick settlements, which themselves are excessive. Customers are complaining about Indirect Access as being unpredictable and unreasonable. With great power comes great responsibility. In SAP’s case, it’s their responsibility to treat customers fairly. Only time will tell if SAP decides to change their stance on the subject and finally put customers’ fears to rest.

Get Ahead in 2018

JNC is doing a webinar – “Addressing SAP Indirect Access Licensing Risk”, in partnership with the UK & Ireland SAP User Group on Thursday 25th January 2018, from 10:00-11:00 am. As well as other topics we discuss how SAP customers can run Indirect Access Licensing Risk Assessments internally with minimal external support.

If you are a UK&I SAP User Group member click here to sign-up on the user group website.

How SAP Authorizations Management Impacts SAP Licensing Compliancy

Commonly, SAP licensing is measured based upon the entitled access of named user accounts within the SAP systems. From my experience as a license auditor, working with some of the biggest global SAP organizations, this is the most common licensing principle I’ve come across in SAP contracts. It does, however, depend on the specific conditions in your SAP contract, where usage-based terms can exist.

What does licensing based on entitled access mean?

In general, if users are entitled to use certain SAP functionality and perform specific tasks by way of designated access controls (SAP authorizations) then those users should be licensed in a way that reflects those permissions. If your contract stipulates licensing based on the authorized access and you have been licensing users based on what users are actually doing in those systems then there is certainly a potential risk of non-compliance.

In my experience, many customers have been licensing users based on what users are doing in SAP, based on the transaction codes those users have been executing. This is done by analysing usage data, also known as STAD data. My professional opinion in these cases was that these customers were non-compliant and potentially significantly underlicensed. The shortfall in license assets held was typically a result of being lured into a false sense of security by the usage-based assessment of their licensing requirements.

A Practical example

A user has been assigned permissions to (1) create and (2) maintain purchase requisitions (assuming Limited Professional activity) and, additionally, (3) maintain vendor master data (assuming Professional activity). According to the principle of licensing by authorized access and the associated user definitions in the customer’s contract, the grouping of these tasks requires a Professional license. However, through the customer’s own methodology of licensing users based on actual usage, they have determined that the user has only created purchase requisitions (assuming Limited Professional activity) in the past year, and have therefore assigned a Limited Professional license to that user. Under a contract that licenses by authorized access, the user would actually require a full Professional license to be compliant.

The question is, is the customer compliant with their contract or not? In my opinion, it depends on the definitions within that contract. If the user license definitions read like “An individual who is entitled to perform…” or “is authorized to perform” then this tells me that the customer is not compliant as they have licensed the user based on what the user has done not what the user can do.

License Audit Risk

The major risk here is of a License Audit. License Audit Workbench (LAW) is not capable of interrogating user authorizations to determine the actual license required. USMM, the measurement transaction, merely gathers the customer-assigned license type from the SAP systems. LAW consolidates all systems accessed to determine the prevailing license type for each user, where the highest usage takes precedence. This means that customers who are managing licensing based on usage data and not authorizations data could be significantly non-compliant with their SAP contracts. You can quite easily submit your USMM/LAW results year upon year without this issue ever being raised, because it doesn’t show up in the data that USMM collects. In fact, this is one of the single greatest causes of large value non-compliancy claims. Where the customer has tens of thousands of users this can mean a compliancy gap of seven or even eight figures, which means a potentially costly license audit.

Possible Workarounds

If you as a customer are licensing users based on what named users are actually doing in SAP and not what users are entitled to do, then there is a solution: performing a redundant access clean-up project. This involves removing the redundant access provisions that have most likely accumulated over the years. That accumulation has likely caused your access control and Segregation of Duties (SoD) risks to increase or persist, and is now potentially causing you contract compliancy issues.
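The gap between the license a user's authorizations require and the license assigned from usage data, together with the redundant access a clean-up project would remove, can be checked with a short script. This is an added example, not JNC's or SAP's tooling; the activity names, the activity-to-license mapping and the sample users are constructed, and a real mapping must come from the user definitions in your own contract.

```python
"""License-by-authorization vs. license-by-usage gap check (constructed data)."""
from dataclasses import dataclass, field

# License tiers ordered lowest to highest, using the names from the article's
# examples. Your contract's own user definitions take precedence.
TIERS = ["ESS", "Limited Professional", "Professional"]
RANK = {tier: i for i, tier in enumerate(TIERS)}

# ASSUMPTION: hypothetical mapping of authorized activities to the minimum
# tier that covers them. Build the real one from your contract's definitions.
ACTIVITY_TIER = {
    "display_own_payslip": "ESS",
    "create_purchase_requisition": "Limited Professional",
    "maintain_purchase_requisition": "Limited Professional",
    "maintain_vendor_master": "Professional",
}


@dataclass
class User:
    name: str
    assigned: str                 # license type assigned by the customer
    authorized: frozenset         # what the user CAN do (authorizations)
    used: frozenset = field(default_factory=frozenset)  # what the user DID


def required_tier(activities):
    """Return the highest tier demanded by any activity in the set.

    Fails closed on an activity with no contract mapping, because silently
    skipping it would understate the license requirement. An empty set maps
    to the lowest tier (an assumption of this example).
    """
    unknown = sorted(a for a in activities if a not in ACTIVITY_TIER)
    if unknown:
        raise ValueError(f"no contract mapping for: {', '.join(unknown)}")
    ranks = [RANK[ACTIVITY_TIER[a]] for a in activities]
    return TIERS[max(ranks, default=0)]


def assess(user):
    """Compare the assigned license with what authorizations and usage imply."""
    used = user.used & user.authorized   # ignore usage outside current access
    by_auth = required_tier(user.authorized)
    return {
        "user": user.name,
        "assigned": user.assigned,
        "by_authorization": by_auth,          # what an entitlement-based contract needs
        "by_usage": required_tier(used),      # what a usage-based review would suggest
        "compliant": RANK[user.assigned] >= RANK[by_auth],
        "redundant": sorted(user.authorized - used),  # clean-up candidates
    }


def shortfalls(users):
    """Users whose assigned license is below what their authorizations require."""
    return [row for row in map(assess, users) if not row["compliant"]]


# Constructed sample users; the first mirrors the article's practical example.
SAMPLE_USERS = [
    User("buyer_01", "Limited Professional",
         frozenset({"create_purchase_requisition",
                    "maintain_purchase_requisition",
                    "maintain_vendor_master"}),
         frozenset({"create_purchase_requisition"})),
    User("employee_01", "ESS",
         frozenset({"display_own_payslip"}),
         frozenset({"display_own_payslip"})),
    User("master_data_01", "Professional",
         frozenset({"maintain_vendor_master", "create_purchase_requisition"}),
         frozenset({"maintain_vendor_master"})),
]

if __name__ == "__main__":
    for row in map(assess, SAMPLE_USERS):
        print(row)
```

The `by_usage` tier is only attainable after the listed redundant authorizations have been removed; until then `by_authorization` is the figure that counts under an entitlement-based contract.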

If you are relying on a SAM tool for peace of mind, again (which I have covered in a previous blog) then ensure that the tool is actually measuring your SAP landscape based on your SAP contract, not some ‘out of the box’ queries that are providing you with the figures you want to see not the figures that actually count.

If you are relying on some form of tool or script for output, whatever it is, make sure that the output reflects your contract. If you are allowing SAP named users to accumulate access rights they potentially no longer need, then consider a clean-up project. It will be a two-in-one win, potentially reducing your business risks associated with SAP system access and potentially making you more compliant with your SAP contract.

Key Takeaways

The key takeaway from this article is to read your contract! Read the definitions of the user licenses that you have purchased and don’t google them to identify any generic user license definitions that are most likely not relevant to your organization. I would advise you trying to source information on SAP License Management and User License Definitions given the fact that they differ in every contract, and what matters to your organisation is written in yours.

Related Information

SAP License Audit Simulation – Measures actual usage of the SAP software according to contractual definitions compared to licensing entitlements held to determine your SAP licensing and compliancy position. Our Audit Simulation identifies where redundant access clean-up can be performed in order to truly optimize your SAP licensing.

Written by James Cochlin – Principal Consultant and Consulting Director at JNC

Foreword: I work as an SAP License Management Consultant at some of the world’s largest SAP customers. The majority of those organizations are utilizing a SAM product, however in reality, some of these tools are redundant because they were poorly set-up, are lacking ownership, they are not measuring according to the customer contract, or simply put, not capable of measuring the customer’s environment.

Would I rely on a SAM Tool for SAP Licensing Compliancy?… No!

Sounds a little harsh but allow me to explain. I have and continue to work with numerous customers who have bought a SAM tool for SAP. They have set it up, and hey presto they think they are in control. Personally, I have a slightly different view based on my experiences and those of my clients. I would use a tool more as a radar, to provide license management intelligence to support decision making, however, I wouldn’t completely rely on it to ensure I am compliant. There is also the ongoing maintenance of your SAM tool, updating any rules configured in the tool if your entitlement or the SAP landscape changes. Landscape changes affect what is being measured, and entitlement configurations affect what the measured usage is being compared to. Given the complexities of SAP licensing models, metrics and landscapes, this challenge should not be underestimated.

A SAM tool will not fix your problems if you have any. It highlights them, therefore don’t underestimate any clean-up activities required once the tool is up and running. Otherwise, you’re still not compliant with your contract.

Also, beware of the authorizations vs usage licensing dimension. Many contracts are based on the authorization to use and most commercial SAM tools recommend license types based on actual use. In this instance, acting on the outputs of your SAM tool measurements would create a significant non-compliancy issue, which could only be resolved by removing the authorizations to coincide with the new lower level license type assigned. Where SAP Role design is concerned this can open a significant can of worms.

Is it possible to work without a tool? …Certainly

This depends on the entitlement held by any given customer. I have witnessed numerous contracts where the entitlement is very straightforward, to the point the customer only needs to control and monitor a limited set of attributes. In this case, a tool really isn’t necessary. Some customers have purchased a SAM tool where the tool is not benefiting the customer at all and therefore becomes redundant and unused.

The most important question to ask before asking “which tool”, is “do I need a tool”. An RFP process for a SAM tool should only be initiated on the basis of a strong and compelling business case providing the need with respect to the estate and environment to be managed.

Look at The Entitlement First

Review your contracts, establish your entitlement and create your bill of material (BOM). Now you should have sufficient knowledge to determine what is required to measure your users and packages. Of course, seek advice from an SAP license management specialist to ensure you are not overlooking anything.

If you have a relatively “straightforward” entitlement, for example, a user heavy entitlement mix (users vs packages) made of Professional, Limited Professional and Employee Self-Service users it should be relatively straightforward. An understanding of definitions and the correct technical management processes should suffice. There are of course other considerations and complexities to factor in, which I will come to later.

Let’s Get Technical!

There is no better way of illustrating the point than a good practical example. The below table shows possible software use rights associated with, for example, an ESS License and a Professional User License. All SAP contracts provide actual definitions for each license type, more or less outlining what each license type allows a user to do in SAP.

Below is an illustration showing three SAP Users: John, Jane and Alan. I can identify that John can only use SAP for typical self-service activities, therefore, I only need an ESS self-service license type. Jane and Alan can do a lot more than self-service activities, so automatically I would classify them as SAP Professional Users. The question is, do I perform a periodical self-assessment without the aid of a SAM tool and perform the checks manually using Excel, or utilize a custom report in ABAP or similar? In this particular scenario, I would utilize manual checks or possibly create an Excel macro to manage this.

Let’s use Jane as an example. The tool should tell me that Ciaran needs a Professional license type; however, he could be optimized: he could potentially have an ESS license, as the tool has leveraged statistical data from SAP and has identified that he only uses the same permissions as me, John. Of course, this doesn’t mean that I can change Jane’s license type. It means I need to perform some clean-up activities against John’s privileges. Once done, I can re-assign him an ESS license type. Remember, it’s not necessarily what you have done in the SAP system, it’s what you can do that really determines the license type you should have.

As is the case with SAP standard audit tools, your typical SAM Tool is not capable of interrogating SAP Authorizations to the extent that it can at all times inform you of what license type each user should be assigned in addition to the license type they could be assigned. Thus, following the outputs without managing the impact of that change can result in non-compliant licensing of SAP users.

Something else to consider is licensing roles within SAP: if user privileges are the basis for determining what licenses need to be assigned to end users, then it makes sense to allocate a license to a role so you can track what licenses are required considering day-to-day user role changes in the system.

End of Technical Overload!

“I have a large and complex landscape without transparent roles. We have an issue with maintaining consistent user Id’s?”….

The above statement is again all too common. Utilizing a SAM tool should be your GPS system to navigate through uncharted territory and help you maintain control of the as-is. Again, many of the issues raised through the above statement can be overcome utilizing SAP standard reports and components such as a GRC solution.

Let’s face it, with the exception of the entitlements, all the data needed to identify who needs what license is data held within SAP itself. A SAM tool should help you and it should guide you but you need to test the results produced by the tool to avoid the “blind leading the blind” scenario.

Conclusion

Don’t just fall victim to the sales hype around SAM tools for SAP. Really challenge whether or not you need one and consider what tools and management processes you can implement yourself to stay on top of SAP licensing.

JNC support customers with SAM Tool selection and our consultants can help design SAP License Management Frameworks, which provide the roles and responsibilities, processes and procedures, tools and techniques required to effectively manage and stay on top of SAP Licensing.

Indeed, there are many technical reasons why you could be non-compliant on SAP licensing. However, SAP licensing compliancy is as much to do with attitude and awareness as it is to do with knowledge and technical expertise.

There are many common misconceptions and assumptions that result in customers falling into a false sense of security and not taking the necessary precautions to protect themselves against licensing non-compliance. This article addresses the common predispositions that represent the biggest barriers to identifying risk and taking the necessary action with some tips at the end on how you can dig a little deeper.

1 – We have an excellent/special relationship with SAP…

An excellent relationship with SAP probably means you are spending money with them or at least they are still actively trying to court your organisation into buying more of the software products that you haven’t already bought! But what happens when your spending slows down, your SAP landscape stabilises or your ERP strategy changes? Maybe their position will change once your spending patterns change and you are no longer seen to be “aligned” with the strategic corporate product roadmap they would otherwise have you aligned to.

JNC has assisted many customers in this exact position, angry and frustrated with an apparent change of tack by SAP and the way that non-compliancy claims suddenly arise. Some of SAP’s biggest global customers have fallen foul of non-compliancy to the tune of tens of millions. What happened to their special relationship? What makes you think that your “special relationship” with SAP is any more steadfast than theirs? If you are being told you have a “special relationship” and you are one of their “best customers”, just consider how many thousands have heard the same story. Always keep your software vendors at arm’s length and don’t be lured into a false sense of security.

2 – We deal directly with SAP for our licensing…

So does everyone, that is apart from those who buy through a third-party reseller, which itself probably leaves you vulnerable to even more risk. They get commissions and rebates from re-selling so the more you spend the more they make. SAP is the vendor so the majority of customers will deal directly with them via an account manager, but what difference does that make? All the more reason to think you are probably not getting the best deal if you are relying solely on the advice of the organisation selling you the product. There are numerous ways of getting a better deal and better value from your investment in SAP and this usually involves good vendor, supplier and procurement management, which means getting tough and not eating out of the palm of their hand.

JNC have observed some clients who have not been sold the right licensing in the first place, leading to future non-compliancy issues. Take sales and service order processing. JNC have seen a number of clients whose original system was designed to process sales and service orders, however, they weren’t sold the S&SOP Package license. These customers were charged many years later for this “under-licensing” despite having run SAP for years and despite submitting their LAW reports every year. Your sales exec is also very keen to make a sale so don’t rely on the vendors to have only your best interest at heart.

3 – We have been running SAP for years and have never had any issues…

This is potentially worse than if you had been notified of some minor issues along the way. At least then you would know where you stood and would be more mindful of the issue going forward. Otherwise, you could be non-compliant with no view of the extent of any issue and completely unaware of a hidden liability. If SAP has a positive account relationship to protect, i.e. a spending customer, they could allow non-compliancy to accrue without acting, so as not to rock the apple-cart. From JNC’s experience there seems to be a lower limit to the value of SAP under-licensing claims so perhaps it has to reach a certain level before it becomes worthwhile.

Some of the biggest disputes that we have seen have hit customers who have been running SAP for 10, 15, 20 years who have used SAP for several years without any history of non-compliance. This could put you at greater risk. Has SAP issued you a certificate of compliance? Have they sent you a letter or e-mail giving you a green light or clean bill of health following your annual measurement? Unlikely, and just because they haven’t said anything doesn’t mean there isn’t something there. So best you find out yourself where your business stands to protect yourself from large unexpected and unbudgeted costs creeping up and biting you.

4 – We are running this and that SAM tool…

SAM tools certainly help make intelligence driven license management decisions, however software code is not intelligent by nature and I haven’t yet seen any AI SAM tools hit the market. JNC would certainly recommend some SAM tools for SAP as they can add value, however, we would never recommend relying completely on a SAM tool for SAP licensing compliancy. Human intelligence is always the key and always will be. SAM tools must be functionally capable, configured correctly and used correctly to be effective. SAM tools can’t adapt to complex contractual setups involving dozens of contract documents (i.e. they can’t just be fed in and uploaded) so SAM tools must be set-up and configured to measure against the actual license assets they have. Any what about the ever-changing license metrics and the varying written descriptions of any given license metric form contract to contract? Installing the software and getting it measuring your usage across complex data centre environments and systems landscapes also pose its challenges.

Once you do get set up, what happens when you buy more licenses and different types of licenses with various complexities? What happens when SAP realise you have been using MySAP Business Suite licenses for use of SAP Business Objects when you should be using Business Analytics Expert Users licenses and they whip out the terms of use from 2005 and use them against you? What happens when you trade or terminate licenses from various agreements or agree on conversion credits for some of your perpetual license value towards cloud subscription licensing? How will you keep your SAM software up-to-date with what is invariably a moving feast? JNC have audited, and provided audit defence services, to several customers who were found to be significantly non-compliant despite running some of the best-known SAM solutions on the market. So, just because you have a SAM tool doesn’t mean you are compliant. To find out more about the strengths, weaknesses, pros, and cons of today’s top SAM tools you can read our article – The Truth About SAM Tools – which is dedicated to the topic and written by one of JNC’s leading consultants who has seen the effects of poorly chosen, implemented and managed SAM tools.

5 – Our support partner looks after our licensing for us…

Firstly, you may have lost control of your license management, putting blind faith in another organisation to get it right. Almost all of JNC’s customers (with licensing issues) have worked with a major SI or prominent SAP support partner and that didn’t prevent them falling non-compliant. We would gladly reference any particular provider who we observed bucking that trend but at present, there are none to speak of.

JNC have seen some serious cases of non-compliance where the partner has actually been culpable. We have even been in the middle of an audit simulation when serious levels of risk have been realized through poor administration as we were auditing, which didn’t go down well with anyone. So what assurances do you get from your support partner that your licensing is in order? What assurances do you have that they are right? The help of expert third-party support is always there for you if you want to know exactly where you stand. Assurance is a powerful thing.

So, there you have it, some of the most common assumptions that prevent SAP organisations taking the necessary action to address SAP licensing and compliancy properly. Is your business guilty of any of these? Think hard about what factual evidence you actually have from properly qualified experts, demonstrating a compliant licensing position. If not you might want to think hard about getting specialist help with your SAP Licensing.

How to test your License Manager has their finger on the pulse…

Here are some questions you can ask your internal teams or support partner resources, and if you don’t get a straight, concise, and quantified answer then you could well have a problem.

What is our current entitlement utilisation as a % of our total SAP licensing entitlement?

Licensing entitlement units vary from metric to metric so the only consistent measure is value. So, if you have £5 million worth of SAP license assets a viable answer could be 80% meaning you are utilizing £4 million worth of your overall entitlement. For example, you may have 250,000 worth of GRC entitlement purchased on the revenue metric at 50,000 per billion. As your revenue is only 4 billion you are only utilizing 80% of your entitlement.

What is that figure split by named-user license and package licenses?

Just a further test of the above and how accurately they understand the licensing position in terms of the two license classes.

What is the value split between named-User and package licensing? Are we user or package heavy?

This really gives your business an indication of where to focus your attention. Managing a user-heavy license estate and a package-heavy license estate involve different processes, procedures, and techniques. Package and named-user licensing are completely different ways of licensing software, so it does make a difference.

Tell me the top assets nearing maximum utilization?

This is an indication that utilization levels are being monitored regularly. It is important to know when, for example, you have placed your 95,000th sales order when you hold entitlement for 100,000 sales orders. This is an indication you need to buy more, otherwise you can fall non-compliant. If you fall non-compliant, discount will be revoked and it can cost anywhere from 50% to 200% more to buy those licenses depending on the discount level that is revoked.

What is the split of our SAP package licensing between USMM Measurable, Self-Declaration business metric, and self-declaration technical (i.e. value derived from the system)?

This should be known as part of your measurement planning and a pre-requisite for a well organised, accurate and timely submission of your annual measurement.

These are all standard things that your licensing managers and administrators should know. They most certainly should if they are on top of things, and if they are new they most certainly should be getting on top of them sooner rather than later.

Software License Audits are on the increase bringing unwanted business disruption and costly unbudgeted license fees. Can your business afford to be non-compliant?

Software vendors are increasingly resorting to licensing audits as a source of revenue with high fees being levied against the non-compliant use of their software. With SAP licensing models amongst the most complex and challenging to manage it is vital SAP end-users understand the main risk factors to ensure they are compliant and vendor audit ready.

In this article, JNC will draw on their extensive knowledge and experience of SAP license management, audit preparation and audit defence to highlight the key risk and issues around SAP licensing compliance and license audits.

SAP licensing compliance is certainly a high-profile issue. There is always plenty of noise in the media, and throughout the SAP end-user eco-system in general, regarding aggressive and costly license audits and high-profile court cases. This might be cause for concern for many SAP customers but do they fully understand the extent of the issue? Is it really enough to drive SAP customers to take action?

The fact of the matter is the problem is far more widespread than perceived. Only a few cases ever reach court, with many more licensing disputes settled out of court before they make it that far. So in general what SAP customers see and hear is only the tip of the iceberg.

Why don’t we hear more about Licensing Disputes?

This is a product of how the vendor presents the dispute and what they do to achieve a settlement. From our experience SAP raise a dispute by presenting a headline figure, which is the maximum licensing fees they would be entitled to in relation to the under-licensing detected and their interpretation of the customer’s SAP licensing contract. Typically, it comes unexpectedly from left field and is presented either as an order form with a deadline to sign or by way of a letter written to the finance director or another high-ranking company official. This creates a sense of concern and urgency and puts pressure on those responsible to resolve the issue.

When an offer is made to settle in a short time-frame for an amount significantly less than the “headline” figure, many firms sign on the dotted line as a quick and convenient way of avoiding prolonged business disruption and mitigating a potentially significantly higher cost. SAP much prefer a quick settlement over a difficult, time-consuming, resource-sapping and uncertain legal dispute. This can result, for argument’s sake, in the offer of a settlement for half to a third of the much more daunting “headline” figure.

As a consultancy, we tend to be much busier around SAP’s end of quarter and end of the year. This is indicative of sales target shortfall and the vendor actively seeking revenue to hit sales targets. Otherwise, there would be no such pattern to these events, which draws into question the integrity of the claims that are being made.

“This is indicative of the vendor actively seeking revenue to hit sales targets”

When JNC are called in to help customers in this position we see the same pantomime played out time and time again. Thankfully our knowledge and experience of licensing and vendor tactics help customers get to the bottom of their actual compliancy position, paying significantly less and sometimes even nothing where compliant usage is successfully proven. Sadly, without expert help, most customers are not able to mount an effective defence to these scenarios and don’t have many alternative options.

Most firms also don’t like to broadcast non-compliance as it affects business reputation, stakeholder confidence and even share price. Most settlements are also made under strict NDA so the vendor holds just enough equilibrium to press ahead with this strategy without causing too many waves. Customers, therefore, feel they are in isolation whereas many other customers are in a very similar position.

In knowing, or having learned, how customers are likely to respond to these kinds of tactics, could SAP be guilty of taking advantage? I’ll leave you to draw your own conclusions, however, if SAP customers were more aware of the hidden reality then licensing compliancy would probably rank much higher on the list of IT Director’s and CIO’s priorities.

“If SAP customers were more aware, licensing compliancy would probably rank much higher on the list of IT Director’s and CIO’s priorities”

So, how do licensing disputes come about in the first place?

Typically, a licensing dispute arises from under-licensing detected as a result of an annual measurement or an SAP License Audit. Many SAP customers mistake their annual measurement for a license audit and it is important to understand they are two very different things as the risk is completely different. I have spoken to many SAP customers who claim they are fine with SAP licensing because they are audited every year. However, what they are referring to is the annual measurement, which is not comparable to a License Audit.

What’s the difference then, and what’s the impact?

Annual measurement is the process of reporting software usage data to SAP, where the customer is responsible for performing the measurement themselves. A License Audit is where SAP, either remotely or on-site, gather and analyse data themselves to determine a customer’s compliancy position. The issue is that LAW reporting provides very limited data to SAP, whereas a License Audit allows them to see much more of what is really going on in the SAP systems. An example of the difference is that SAP standard audit tools USMM/LAW don’t interrogate user provisioning to determine what license type is required or to cross-check that the license type assigned is correct.

User provisioning is controlled by SAP Authorizations where a customer assigns authorizations to give users access to the transactions they need to be able to perform their job roles using the software. The customer must also assign each user a license type in each SAP system based on the level of authorizations they have. So USMM only reads what license has been assigned but doesn’t give any information on what license should have been assigned. If the licenses assigned match entitlements held the LAW report will not flag any issue. In an SAP License Audit, the auditors will interrogate this data and potentially discover that the license type assigned is non-compliant. So it is possible that licensing data submitted via LAW can hide the true picture. This is just one example of a number of risks which could lead to a costly SAP License Audit.

A practical example of this is where 1000 users are given limited professional licenses where they are authorized to carry out activity associated with full professional use. Where 1000 limited licenses are held and 1000 limited licensed users are measured there appears to be a match, where in fact at list price this represents a risk of circa €3 million. For discovered (versus disclosed) non-compliance SAP’s policy is to revoke discount, and they are not obligated to trade for other unused assets. However, if you were to identify this shortfall position yourselves and notify SAP as such then you would be honouring what is described as their “Trust Model” where discount can be preserved and options of surplus asset trading can be explored. All the more reason to take action on licensing compliancy.

Why are more companies not taking action?

SAP licensing compliancy is as much to do with attitude and awareness as it is to do with knowledge and expertise. The purpose of this article, without documenting every risk and issue in detail, is to give managers and stakeholders more awareness about the potential risks of non-compliant software usage, inaccurate systems administration and measurement, and the ultimate risk of an SAP License Audit, to help them decide if it’s in their interest to address the issue.

JNC’s SAP License Audit Simulation

JNC’s SAP License Audit Simulation service replicates the processes and methodologies of a full SAP License Audit and provides organisations running SAP with an enterprise-wide view of the licensing and compliancy position, giving them the insight and intelligence they need to identify and deal with licensing and compliancy risk in a commercially optimal way and mitigating the risks of an on-site audit.

On Thursday 16th February 2017 high court Judge Mrs Justice O’Farrell MBE, ruled that Diageo were liable to pay SAP additional licensing fees as a result of what is broadly known as Indirect Access. Diageo could now face a significant bill for licensing fees potentially in the tens of millions.

SAP brought the case against Diageo in October 2015, looking for £54,503,578 in licence fees, whilst seeking £3,955,954 in interest and back-dated software maintenance charges. Whilst the actual amount due has not been settled yet the case reaffirms the significant risk associated with indirect access licensing for SAP customers, particularly when interfacing third-party applications with SAP ERP.

This case centres around Diageo’s deployment of two systems built using the Salesforce cloud platform interfaced with mySAP ERP via SAP PI (interface engine) giving Diageo sales reps and business customers the ability to carry out sales and ordering related business activities via a web platform as opposed to dealing directly through Diageo’s call centre.

SAP and Diageo signed the initial agreement back in 2004 and the Gen2 and Connect systems, i.e. those under scrutiny, were deployed around 2011/12. The agreement included a number of clauses which collectively made provision for SAP to charge named-user license fees for users of third-party systems connected to mySAP ERP. The judge decided in favour of SAP, ruling that the interaction of these systems with the SAP system constituted indirect access as defined in the contract and that Diageo was therefore liable for additional named-user licensing fees.

Part of Diageo’s argument was that the shift from performing these operations through their call centre to the new systems was in principle no different. The judge didn’t disagree that call centre operatives performing these activities on behalf of sales staff and business customers would require named-user licenses, however, in providing these users access to the SAP system indirectly they now required a named-user license as per her reading of the software agreement.

The case is not yet over as the hearing was fixed to make a judgement on issues of liability only and not quantum. Meaning that an accounting exercise is required to determine what licensing is applicable at what price based on the number of users and activities performed by them.

In my opinion, questions could be asked what knowledge SAP had of Diageo’s plans to deploy these systems and what advice or warnings were given to Diageo about the licensing impact. SAP is after all diligent in keeping in touch with customers’ technology road-maps in order to understand customers’ business needs, sell their products and maximise revenues. If Diageo had known or been made aware of the implications and sought a licensing deal with SAP in advance it surely would have been more favourable. However, once in the position of non-compliance, especially when adjudged by the high court, the leverage to negotiate is diminished significantly.

Ultimately though it is the customer’s responsibility to act compliantly with their software agreement. SAP operates a trust model that makes it possible for customers to deploy new SAP solutions and functionality and add named-users as they grow. However, they must notify SAP of any such usage in advance or within a reasonable timeframe such that the appropriate licensing fees can be paid. SAP is most certainly entitled to pursue customers for unlicensed and unauthorised use of their software. In Diageo’s case, the judge decided that the contract made clear references to the licensing conditions for indirect usage via third-party applications so were the risks properly considered?

There are arguments and counter-arguments galore. The bottom line is that customers are responsible for being compliant and need to understand the licensing implications of their SAP technology road-map plans, particularly in the case of indirect usage via third-party applications. How many more high-profile cases like this is it going to take before SAP end-users really sit up, take notice and take action?

SAP offers two types of software licenses: perpetual and subscription-based. Currently, the perpetual type is the most used type. Over the years, I have seen the emergence of subscription-based licensing in the SAP domain as a more serious contender to the standard perpetual licensing model.

I have witnessed many organisations begin to consider new subscription-based licensing as they seek to identify the most cost-effective and management-friendly licensing model to suit their business.

The new licensing model drastically differs from the perpetual model. In-depth knowledge of both models is needed when strategic decisions need to be taken and when negotiations take place. But what exactly are the differences and how do you choose?

What is the difference?

A perpetual license is an entitlement for an unlimited period of time. With perpetual licenses, the bulk of the investment is made when purchasing the software. At that moment, the fee to acquire the license is paid and the software can be installed on an on-premise basis. Just to be clear: the software license does not include the right to use future releases of the licensed software. This is because the perpetual license does not contain access to maintenance and support services. You’ll need a separate maintenance agreement to organize this.

Annual fees, based on a percentage of the value of the software, need to be paid to cover maintenance and support for the licensed software. So, after the initial investment, a yearly recurrent additional cost needs to be taken into account as well.

Key Points

The scope of the software license often covers only a subset of the capabilities of the actually delivered software. Licensees are only entitled to use those capabilities they have actually licensed.

It is very easy for usage of the software to exceed the functionality purchased if close attention is not paid to what has actually been purchased.

Subscription-based Model

So, what about the subscription-based model then? First of all: with this model, you only have the entitlement to use the software for a specific period of time. During this period, payment is done on a monthly basis. This payment allows you to use the software which is hosted at a remote location. Access to maintenance and support is included in the fee. You don’t need an additional maintenance and support agreement. Of course, since the entitlement is only valid for a specific period, licenses have to be renewed on a regular basis.

What are the advantages of the subscription-based model? Other than some generally well-known advantages (limited IT infrastructure etc.), the new model significantly lowers the barrier for new customers to get started with SAP software because of the low upfront capital cost. For existing customers, the new model gives them an option to transform their SAP licensing model from a capital expense to an operating expense model.

Moving Away From Perpetual Licenses

When moving from the perpetual to the subscription-based model, contract negotiation opportunities with both disappear and new ones arise. The conversion credit for old licenses is one of them. SAP used to give a credit when exchanging old software for newer products or when buying more of the same. Buyers will need to transform this well-known mechanism, which lowered the net price of the new investment, into fresh mechanisms applicable to the subscription-based model.

With perpetual licenses, contractual negotiations had to be done well but only once. Tailored terms and conditions, specific or long-term related clauses which needed to be negotiated only once, will now need to be negotiated whenever the entitlement comes to an end. Of course, also here, buyers will need to come up with the appropriate mechanisms to avoid this re-negotiation situation. It will be exciting to see how organisations will work this out together with SAP.

Key Points

Understand the details of both models. Good decisions are possible, only when you understand the details and consequences of each model.

Think strategically and long-term based. Depending on the situation you’re in, and the strategic decisions which were made, one model can be more favourable than the other.

Align your long-term strategy with the appropriate licensing model, which may even be a mix of the two, with models chosen specifically for the different products or solutions across the estate, such as HR-based cloud solutions.

Be prepared to change your negotiation strategy when changing the licensing model. As discussed above, the two licensing models require different negotiation strategies. Prepare yourself before you start discussions.

Take Away Message

Understanding all facets of the two types of SAP software licenses is key. Both the perpetual and the subscription-based model have their advantages. Buyers need to prepare themselves and need to be wary. Speak to an actual SAP licensing specialist when (re-)negotiating agreements to make sure you get the best commercial deal and the best-fit licensing solution for your business.

A New access point, a new license?

SAP software licensing is based on two licensing components: package licenses and named user licenses. Package licenses give you the right to deploy and use the software. Named user licenses authorize an individual to access the licensed software.

But what happens when I start using SAP mobile technology solutions? In other words, I want to use standard SAP or custom-built apps running on employee smartphones or mobile devices, which connect to the SAP system. What implication will this have on the licensing I need and which options do I have?

So, how is it done?

Licensing mobile solutions is done on multiple levels. The first level is based on accessing the back-end data in (SAP) systems. Mobile apps read and/or update data coming from (non) SAP systems. When data is read or transferred to or from an SAP system using a mobile application, users who indirectly access the system using the app will need a Named User license. This is, of course, only the case if the user who holds the device does not yet have an appropriate Named User license. If they do, this license may also cover this usage as long as this is covered by the license type definition in the contract. If this is the case then no additional license would be required. If not, and the usage of the mobile solution exceeds that covered by the existing license, the user would need to be upgraded to a more expensive license type. Their previous license would then become available to be assigned to a user who required it or reserved in the pool of available licenses. If their usage would now require a more expensive license type, one would need to be purchased as part of the next material procurement with SAP. It is possible to see how complex license management becomes, and licensing mobile solutions provides additional complexities for license managers to consider.

The second level is called the SAP Mobile Platform. This software is needed to build and deploy apps for iOS, Android, and Windows devices – as well as wearables and desktop apps. It allows you to customize pre-packaged mobile apps from SAP and its development partners. The Mobile Platform is also used for data integration across back-ends (SAP and non-SAP) and security administration. Furthermore, it allows you to deploy apps in the SAP Store. Different licensing and purchasing options are available for SAP Mobile Platform in its simplest form; Basic, Medium and Full Professional versions. You should choose the option which fits your needs. Licenses are to be paid for every person that will use the platform to manage and develop apps. The SAP Mobile Platform license is mandatory.

The third level is the mobile application itself. Here, everything is possible. You can simply buy apps from the SAP store, or develop your own apps on the Mobile Platform (if this functionality is licensed). For the apps you buy, you usually pay, per app, a license per user who will use the app.

Key Points

Licenses for mobile applications need to be paid per user, not per device. Just to be clear: one user using a mobile app on a tablet and a smartphone just needs one license for that app.

The SAP Mobile Platform license is mandatory. Even if you choose to run a standard app from the SAP store, you’ll need a license for the Mobile Platform. Of course, in this case, the basic version of the Mobile Platform will do.

Deploying mobile apps entails multiple levels of licenses. Depending on the plans you have with mobile solutions and the situation you’re currently in, costs can become significant. The fact that every user who relies on data coming from an SAP system needs a Named User license in that system is an important point that needs to be taken into consideration when choosing the mobile route.

Indirect Access Risk

Is the implementation and use of mobile solutions a form of Indirect Access? Well, it could be. If the application has not been licensed then it can be deemed to be a third-party supply chain system either creating, manipulating, or viewing data in the SAP system. Due to the ring fencing of development within the SAP Mobile Platform, this is only likely if the mobile solution in question has been developed independently or outwith the SAP Mobile Platform. It is important that careful consideration is made before deploying any form of application in any environment with your SAP system.

Take Away Message

Eventually, adding an additional point to access your business data besides your existing desktop login possibilities will not change much from a licensing perspective. Only the license for the Mobile Platform and the app itself are required. Those costs are relatively low and priced per user. On the other hand, if you’re bringing new users with your mobile strategy to the SAP domain, they all will need a Named User license as well. And according to what I have encountered this can increase the actual cost of deploying mobile solutions significantly and unexpectedly.

SAP Indirect Access License Fees Can Be Significant and Unexpected

Interfacing third-party applications to your SAP system could cost you dearly, due to what SAP refers to as Indirect Access usage. Indirect Access has been around for a long time, although in recent years it has emerged as a hot topic in the SAP licensing world.

With claims for unlicensed Indirect Access usage by SAP reaching into the millions, even tens of millions, organisations can no longer afford to ignore the issue. This article addresses the key factors affecting Indirect Access licensing providing guidance on the best way to avoid significant and unexpected licensing fees.

Most people reading about Indirect Access are looking to establish a definition of Indirect Access, how it might affect their organisation, and what they can do about it. As such we have organised this article under logical headings, so you can get the information you need:

Indirect Access Definition.

Examples of Potential Indirect Access usage.

Indirect Access FAQ’s.

Addressing Indirect Access Risk.

Managing Indirect Access Risk.

Indirect Access Conclusion.

Indirect Access Definition

According to SAP, all usage of the SAP systems needs to be licensed. Indirect Access is a user or third-party application creating, manipulating, or viewing data in the SAP Systems via an interface between the third-party application and SAP. Technically, Indirect access occurs when data communication is executed remotely using SAP’s remote protocol RFC (Remote Function Call). If data is created, manipulated, or viewed in the SAP systems indirectly via a third-party application, that usage needs to be licensed according to SAP’s named-user licensing definitions.

Here’s the definition taken from the current SAP System Measurement Guide – Version 7.0 (Jan-2017):

Quote:

13.8 Indirect Use

Named users are also upstream and intermediary technical systems that exchange information with the SAP software system, as well as the users of those systems, if the users exchange information with the SAP software in dialogue or prompt mode. It makes no difference whether the software is accessed directly or indirectly (see the indirect use information under section “1.2 Named Users”). In the case of indirect use of SAP software, you should provide SAP with the number of external named users.

1.2 Named Users

A named user is an employee of a customer, of its affiliated companies, or of third-party companies authorised to access the licensed software directly or indirectly, regardless of the technical interface chosen. All employees who use the SAP software require a license and must be set up as dialogue users. SAP is entitled to require that the customer declares the number of external named users and produce a stipulated statement from each external named user concerning compliance with the restrictions applying to licensed use and confidentiality.

Indirect Use

Named users primarily use the SAP software. Users from upstream or interposed technical systems require licenses as named users if they exchange information with the software in dialogue or prompt mode, regardless of whether the software is accessed directly or indirectly. If redundant functions that are also available in the software are used in upstream or interposed systems that access the software, the users of these redundant functions also count as named users, even if the data is transferred to the software in background processing (that is, not dialogue related). Indirect access means that the user is communicating with a system upstream from the SAP software that transfers communication activities to the SAP software installation or otherwise accesses the SAP software or uses its functions. In particular, the following are examples of indirect use:

Users in an upstream system enter or make data available that is transferred to, or interacts with, the SAP software – for example, order entry in a mobile system, or users of a portal to the extent that they use functions of the software.

Users operate non-SAP software to access data that is read, modified, or stored using SAP software and for which they use SAP programs such as the BAPI® programming interface, remote function calls (RFC), or transaction calls.

Un-quote

In the same document repository, under a different menu, is “SAP System Measurement Guide – Version 7.0 Updated August 2015”, which does not contain the above definitions! Both versions of the guide were available on SAP’s website at the time of writing this article…

A third-party logistics provider using a handheld device in the warehouse and accessing SAP ERP to get data on materials or stock movements.

Using Salesforce to view customer master data that resides in SAP ERP.

To understand if any given interface or third-party system scenario constitutes Indirect Access you must first examine the nature of the usage, and how data is being exchanged to and from SAP. Primarily, the risk of indirect access resides in your contract, so your SAP contract will be the key in determining if that usage constitutes Indirect Access and if you could be liable to pay SAP additional licensing fees.

“Primarily, the risk of indirect access resides in your contract”

About Indirect Access

Although many organisations are not aware of it, interfacing SAP data into third-party applications, and how users use that data, must be considered carefully from an SAP licensing perspective. An application interface may only require one user ID to access SAP and retrieve the data, but this is not adequate for SAP licensing purposes. Generally speaking, if 1,000 external users use this data indirectly in an online (dialogue or prompt) manner, then 1,000 named-user licenses would be required to cover this indirect access to SAP.

Why is Indirect Access such a hot topic right now?

There is a notable correlation between the global financial crisis and the emergence of Indirect Access. Firms’ spending power shrank, and shrinking growth resulted in less recurring annual licensing demand. With spending power and growth slowing down, SAP have had to resort to other revenue streams, and where Indirect Access had historically been low on SAP’s radar, it became a focus. This has also been supported by two key trends: firstly, the move to interfacing best-of-breed non-SAP applications to SAP, and secondly, the emergence of cloud technology and web-based platforms extending the use of SAP out beyond the usual boundaries.

According to a typical SAP contract, users who indirectly access SAP must have an SAP user license too. There are numerous contractual inclusions or exclusions that could give rise to indirect access risk or protect you from it, and yes, every customer’s contract is different, and different clauses and wording can give rise to Indirect Access risk. Sophisticated organisations specifically define the correlation between indirect access usage and license types in their SAP contracts, either at the initial negotiation before purchase or during annual maintenance. For example, they might write something like, “All indirect access will be classified as user type ESS.” Typically, if a non-SAP system accesses SAP data, the user of that external data needs to be covered by an appropriate SAP license. If you don’t have a clause in your contract, you’d be wise to agree with SAP what constitutes Indirect Usage to avoid any nasty surprises.

“Every customer’s contract is different, and different clauses and wording can give rise to Indirect Access risk”

From our experience these are the 5 most asked questions about Indirect Access:

1. Are users that access the system directly and indirectly, counted as two different users?

A named user should never be counted twice. Each named-user should have one single named-user license which should cover all their usage of the SAP system even if they have access to multiple systems. The license required for a user accessing SAP both directly and indirectly would depend on the transactions they have access to in either, with the highest level of activity in either system taking precedence when determining the license type required. So no, a user that accesses the system directly and indirectly should not be counted twice, or in licensing terms, should not be allocated two separate named-user licenses.

2. My data passes through multiple connected systems. Would this be classed as Indirect Access?

It depends on how those systems are connected to the SAP system and whether data is being created, manipulated, or viewed in the SAP system via the connected systems. It also depends on the activity of the users using the system. If they are operating in a way, in terms of their system usage activity that matches any contractual definition of a named-user then they will require the corresponding named-user license to cover that usage.

3. Is there a certain license type applicable to a named-user who is given the required permissions to access the SAP system indirectly?

No, the normal rules behind the assignment of named-users apply. If a small community of users is performing business critical activity, they may all need a professional license. A large community of users viewing reports may need an ESS (Employee Self-service License), or indeed some form of specially negotiated blanket coverage usage license which provides a degree of flexibility across large external user populations or where user numbers frequently fluctuate.

It is if the individual accessing the SAP software in this manner has a license that covers the activity they perform in the SAP system when accessing it. In principle, there is nothing wrong with using an interface to provide remote access to the SAP systems, where systems security would be a more important consideration.

5. What about when SAP creates Indirect Access instances themselves when performing a systems integration or deployment?

SAP may well have been involved in or directly responsible for a third-party system and/or performing the integration. Whilst contractually the usage can later be defined as indirect and therefore subject to indirect access licensing fees, any organisation would have a strong case in defending against having to pay these unexpected and un-illustrated fees at a later stage. If these costs had been explained at the time of purchase or implementation, the customer may not have proceeded knowing the total licensing fees they would be faced with. JNC have successfully defended clients in this position on that basis.

6. Are Indirect Access claims from SAP negotiable?

Yes, they are! JNC offer a service called Indirect Access Defence, which supports customers facing a claim for Indirect Access from SAP. We perform a detailed contract analysis and usage evaluation with a view to proving compliant usage. If there is a risk the usage in question could be non-compliant, we help the customer by quantifying the risk, identifying target outcomes and developing a response and negotiation strategy. Due to the complexities of the contract and differences in interpretations of usage, SAP can sometimes get it wrong, meaning their claim for Indirect Access can either be proven to be excessive or completely unsubstantiable. So yes, it’s negotiable, so give it a shot! If you need help, call JNC!

* always check your contract for the terms and rules that govern how you must license your use of the SAP software*

“SAP can sometimes get it wrong meaning their claim for Indirect Access can either be proven to be excessive or completely unsustainable”

Addressing Indirect Access Risk

The following steps are JNC’s recommended approach for dealing with Indirect Access. With the potential risks involved, it is always recommended that you seek expert help.

Map the interface environment

The first step is to get a clear picture of the interface environment by mapping all SAP systems, and mapping interfaces both to, from, and between SAP systems. From a technical point of view, you need to map your RFC connections to the organization’s systems. A good starting point would be to map all of the connections in T-Code SM59 (RFC Destinations) and review all incoming RFC connections through T-Code ST03N (Workload and Performance Statistics). Architects, technical managers, systems owners, and integration experts can all collaborate to build this picture. The task to identify Indirect Usage becomes all the more difficult if you have multiple servers and applications spanning different geographies, operation verticals and service lines.

Define the nature of the usage

The nature of the usage needs to be defined by looking at data flows, data origination and the underlying interface technology. Examine the end-user environment: who is using the connected systems, how they are using those systems, and whether data is being created, viewed, or changed in the SAP systems as a result of the usage.

Carry out a contract review

A thorough and detailed contract review needs to be carried out to understand the terms and conditions that impact indirect access usage obligations. As mentioned earlier in the article there are clauses or a lack thereof that can give rise to Indirect Access or protect you from it. With an understanding of these terms and conditions, it is possible then to perform an enterprise wide assessment of all interfaces to determine if that usage gives rise to any Indirect Access liability as defined in the contract.

Perform an Indirect Access risk assessment

With a detailed understanding of indirect systems usage and contractual entitlement, an assessment of licensing risk can then be made on a system-by-system basis. Risk indicators (high, medium, and low for example) can be assigned to all third-party systems. High risk usage can be pro-actively addressed by seeking to procure entitlement from SAP, which will most certainly involve negotiation. It is highly beneficial to approach SAP to discuss your needs rather than be discovered by them, and to come prepared with a clearly defined position and target outcome. For all levels of risk, the risk should be quantified by looking at the potential cost of licensing that usage correctly.

Define Your Risk Response and/or Negotiation Strategy

The low or no risk usage can be dealt with by writing a business case demonstrating compliant usage referring both to the detailed technical and functional evaluation of the usage and the contract analysis. If SAP were to come knocking on your door regarding indirect access you will be prepared to present your business cases to SAP defending your indirect usage as compliant. Demonstrating to SAP that you are knowledgeable and prepared goes a long way to dispelling any further advances and contributes to Vendor Audit Readiness. Where high risk usage is identified, which is most likely non-compliant and the risk response is to present this to SAP to buy entitlement, the act of having the usage under question clearly defined will help your organisation perform better in the negotiations and most likely result in a better licensing deal. Leaving indirect access to be discovered and pursued by SAP could result in significant and unexpected licensing fees.

Managing Indirect Access Risk

Your Indirect Access management strategy has to start somewhere and your current position needs to be discovered first as illustrated above. You must first address and deal with the risk arriving at a position where you have the adequate entitlement to ensure current usage is compliant, which may or may not require the procurement of additional entitlement. From that point forward managing indirect usage involves monitoring and controlling the interface and third-party application environment ensuring that the enterprise systems and technology road-map is developed with a view to the impact on licensing and compliance. There are tools available or management techniques that can be implemented to help create alerts when new interfaces go-live, particularly useful in large, complex global scale organisations.

All key technical and systems stakeholders need to be able to review the deployment of new interfaces, understand licensing risk and understand how to properly license any new deployments. Some deployments may, according to current contractual definitions, be too costly to deploy compliantly. You can then revert to negotiating with SAP to come to a cost effective compromise that satisfies both parties, mitigating future compliance risk and facilitating technology development.

Indirect Access Conclusion

With the continued global uptake in SAP, the issue of Indirect Access has most certainly not peaked. As a result of some high-profile cases and an increase in awareness within the SAP eco-system, far more organisations are taking action to deal with Indirect Access risk. Some do so in response to a claim that has been presented by SAP, and some with the foresight to address it pro-actively: to identify any risk, quantify potential license fee exposure, take appropriate steps to mitigate the risk and minimise their potential exposure. The key to successfully dealing with Indirect Access risk is to get informed, put in place an Indirect Access action plan, and be prepared for a licensing audit.

“The key to successfully dealing with Indirect Access risk is to get informed, put in place an Indirect Access action plan, and be prepared for a licensing audit”

What You Need to Know Before you hit the Send Button!

To begin with, should I rely blindly on the measurement results? …NEVER!

That’s a tough statement, but let me explain. The measurement program, a.k.a. transaction USMM for the techies, is a built-in tool that helps all SAP systems produce the information needed to determine the use of the SAP software. The tool only determines the number of users and the used SAP products (the so-called “packages” or “engines”).

The results from your measurement are then compared to the terms of your SAP contracts. SAP’s verdict is often quite straightforward: You are compliant, or you are not … This verdict is based on what you deliver to SAP. So you can hardly underestimate the importance of sending correct info.

“In 2015, SAP released 47 SAP notes on issues related to the measurement program. Not following these developments will only play against you.”

USMM Results

“Where do these results come from?” or “I didn’t know we were using that product, did you?” are questions which are often heard when the USMM results appear on your screen. In the USMM results, two areas of major importance need your attention: The Users part and the Engines part.

The Users part reflects the different License Types of Named Users and counts the number of users assigned to each of them. An odd situation would be that you see “newcomers”, i.e. license types you don’t know. You should investigate what they are. Errors should be corrected as soon as possible or valid new license types agreed on with SAP. If the last situation is correct, you should check your entitlement. Using named user license types which are not known in the agreements between you and SAP results in non-compliance.

The Engines part is more difficult to monitor. In fact, there are three scenarios:

Engines which are – according to you – not in use but show results.

Engines which are in use but show strange results (too high/too low).

Engines which are in use but without any results.

Of course, not all of these situations look bad but you should keep in mind that SAP analyses those figures as well. Strange results also trigger their attention.

“Keeping your measurement tools up-to-date is the best guarantee to deliver true and accurate results to SAP.”

So, what can you do?

For engines which are popping up without any immediate explanation or with odd numbers, you should first check the SAP Support Portal for relevant SAP Notes. Tip: search on the engine ID for targeted results. Implement notes if necessary and potentially helpful. Also, check the available information on engines in the SAP Support Portal under Global License Auditing Service. If changes, errors, or updates have taken place for certain engines, information is normally added to the documentation on the engine ID information sheet.

Don’t forget to consult your functional SAP consultants as well. New engine IDs don’t necessarily mean errors in the program. New functionalities can be in use as well, or existing ones can be used more extensively (higher numbers) or are about to retire (lower numbers). All of these scenarios require an appropriate action.

Keep in mind that not everything can be measured by the SAP tools. “OK, so we start counting ourselves?”. That’s basically it. Engines with an engine ID starting with “N” are to be measured by the client. SAP normally sends out the templates to be filled in together with the yearly measurement request. So, if you see engine IDs with an “N” without measurement results, you know there’s work to be done!
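The checks described above can be scripted before anything is sent. The following is an added example (not JNC's or SAP's tooling) that sorts measurement figures into the engine scenarios listed earlier, flags “N” engines that still need self-declaration, and compares named-user counts with the contract. The engine IDs, the figures, the "Type-91" license type, the 50% deviation threshold and the input layout are all constructed assumptions; it does not read a real USMM export.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

DEVIATION = 0.5  # assumption: a swing above 50% versus last year counts as "strange"


@dataclass
class Engine:
    engine_id: str                  # constructed IDs, not real SAP engine IDs
    expected_in_use: bool           # what your functional consultants say
    result: Optional[int]           # None means the tool produced no figure
    previous: Optional[int] = None  # figure submitted last year, if any


def triage_engine(e: Engine) -> str:
    """Map one engine onto the scenarios described in the article."""
    if e.engine_id.upper().startswith("N") and e.result is None:
        return "self-declare"        # "N" engines are measured by the client
    if not e.expected_in_use:
        return "unexpected-result" if e.result else "ok"
    if not e.result:
        return "missing-result"      # in use, but nothing measured
    if e.previous and abs(e.result - e.previous) / e.previous > DEVIATION:
        return "strange-result"      # too high or too low versus last year
    return "ok"


def triage_users(counts: Dict[str, int], entitlement: Dict[str, int]) -> Dict[str, str]:
    """Compare measured named-user counts per license type with the contract."""
    findings = {}
    for license_type, count in counts.items():
        if license_type not in entitlement:
            findings[license_type] = "unknown-license-type"  # a "newcomer"
        elif count > entitlement[license_type]:
            findings[license_type] = "over-entitlement"
    return findings


def review(engines: List[Engine], counts: Dict[str, int],
           entitlement: Dict[str, int]) -> Dict[str, str]:
    """Return every open finding; an empty dict means nothing blocks sending."""
    open_items = {}
    for e in engines:
        verdict = triage_engine(e)
        if verdict != "ok":
            open_items["engine:" + e.engine_id] = verdict
    for license_type, verdict in triage_users(counts, entitlement).items():
        open_items["user:" + license_type] = verdict
    return open_items


# Constructed sample data for illustration only.
ENGINES = [
    Engine("E100", True, 1200, 1100),   # small change versus last year
    Engine("E200", False, 45),          # believed unused, yet shows a figure
    Engine("E300", True, 9000, 3000),   # tripled since last year
    Engine("E400", True, None, 500),    # in use, no figure produced
    Engine("N500", True, None),         # must be counted by the customer
]
USER_COUNTS = {"Professional": 180, "ESS": 950, "Type-91": 12}
ENTITLEMENT = {"Professional": 200, "ESS": 900}

if __name__ == "__main__":
    for item, verdict in review(ENGINES, USER_COUNTS, ENTITLEMENT).items():
        print(f"{item}: {verdict}")
```
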

Key Points

Do not push the “send” button right away after the measurement is completed! Challenge the results, and take appropriate actions to ensure that what you are sending to SAP is an accurate reflection of usage.

Keep your measurement tools safe and sound. They are SAP programs which need updates/changes/fixes as well.

Keep an eye on the SAP Support Portal for detailed information on the measurement process.

Take Away Message

Know your measurement program, don’t just rely on what the output of the tool tells you. Challenge the results and find current information on the SAP license audit and the measurement tools (USMM and LAW – oh yes, that one also!) on the SAP Support Portal. Also, check for SAP Notes regularly. Understand the changes in the SAP landscape and make sure these are reflected in the measurement plan. Remember, not everything is measurable from within the system and sometimes self-declaration is needed. Be wary, speak to an actual SAP licensing specialist and have them perform an independent check to ensure that all results are correct.
